Model checking of open pushdown systems (OPD) w.r.t. standard branching temporal logics (pushdown module checking or PMC) has been recently investigated in the literature, both in the context of environments with perfect and imperfect information about the system (in the last case, the environment has only a partial view of the system's control states and stack content). For standard CTL, PMC with imperfect information is known to be undecidable. If the stack content is assumed to be visible, then the problem is decidable and 2EXPTIME-complete (matching the complexity of PMC with perfect information against CTL). The decidability status of PMC with imperfect information against CTL restricted to the case where the depth of the stack content is visible is open. In this paper, we show that with this restriction, PMC with imperfect information against CTL remains undecidable. On the other hand, we individuate an interesting subclass of OPDs with visible stack content depth such that PMC with imperfect information against the existential fragment of CTL is decidable and in 2EXPTIME. Moreover, we show that the program complexity of PMC with imperfect information and visible stack content against CTL is 2EXPTIME-complete (hence, exponentially harder than the program complexity of PMC with perfect information, which is known to be EXPTIME-complete).

1 Introduction 

Verification of open systems. In the literature, formal verification of open systems is in general formulated as two-player games (between the system and the environment). This setting is suitable when the correctness requirements on the behavior of the system are formalized by linear-time temporal logics. In order to take into account also requirements expressible in branching-time temporal logics, recently, Kupferman, Vardi, and Wolper [13, 16] introduce the module checking framework for the verification of finite-state open systems. In such a framework, the open finite-state system is described by a labeled state-transition graph called module, whose set of states is partitioned into a set of system states (where the system makes a transition) and a set of environment states (where the environment makes a transition). Given a module $\mathcal{M}$ describing the system to be verified, and a branching-time temporal formula $\varphi$ specifying the desired behavior of the system, the module checking problem asks whether for all possible environments, $\mathcal{M}$ satisfies $\varphi$. In particular, it might be that the environment does not enable all the external nondeterministic choices. Module checking thus involves not only checking that the full computation tree $T_{\mathcal{M}}$ obtained by unwinding $\mathcal{M}$ (which corresponds to the interaction of $\mathcal{M}$ with a maximal environment) satisfies the specification $\varphi$, but also that every tree obtained from it by pruning children of environment nodes (this corresponds to disabling possible environment choices) satisfies $\varphi$. In [14] module checking for finite-state systems has been extended to a setting where the environment has imperfect information about the states of the system (see also ifTTl |9| for related work regarding imperfect information). In this setting, every state of the module is a composition of visible and invisible variables where the latter are hidden to the environment. Thus, the composition of a module $\mathcal{M}$ with an environment with imperfect information corresponds to a tree obtained from $T_{\mathcal{M}}$ by pruning children of environment nodes in such a way that the pruning is consistent with the partial information available to the environment. One of the results in [14] is that CTL finite-state module checking with imperfect information has the same complexity as CTL finite-state module checking with perfect information, i.e., it is EXPTIME-complete, but its program complexity (i.e., the complexity of the problem in terms of the size of the system) is exponentially harder, i.e. EXPTIME-complete.

Pushdown module checking. An active field of research is model-checking of pushdown systems. These represent an infinite-state formalism suitable to model the control flow of recursive sequential programs. The model checking problem of (closed) pushdown systems against standard regular temporal logics (such as LTL, CTL, CTL*, or the modal $\mu$-calculus) is decidable and it has been intensively studied in recent years leading to efficient verification algorithms and tools (see for example lQ"8l l4ll3l). Recently, in 0|U[TT1, the module checking framework has been extended to the class of open pushdown systems (OPD), i.e. pushdown systems in which the set of configurations is partitioned (in accordance with the control state and the symbol on the top of the stack) into a set of system configurations and a set of environment configurations. Pushdown module checking (PMC, for short) against standard branching temporal logics, like CTL and CTL*, has been investigated both in the context of environments with perfect information [7] and imperfect information QT) about the system (in the last case, the environment has only a partial view of the system's control states and stack content). For the perfect information setting, as in the case of finite-state systems, PMC is much harder than standard pushdown model checking for both CTL and CTL*. For example, for CTL, while pushdown model checking is EXPTIME-complete lTT9l, PMC with perfect information is 2EXPTIME-complete [7] (however, the program complexities of the two problems are the same, i.e., EXPTIME-complete HI El). For the imperfect information setting, PMC against CTL is in general undecidable [2], and undecidability relies on hiding information about the stack content. The decidability status for the last problem restricted to the class of OPDs where the stack content depth is visible is left open in [2]. On the other hand, PMC with imperfect information against CTL restricted to the class of OPDs with imperfect information about the internal control states, but a visible stack content, is decidable and has the same complexity as PMC with perfect information. However, its program complexity is open: it lies somewhere between EXPTIME and 2EXPTIME Q.

Our contribution. We establish new results on PMC with imperfect information against CTL. Moreover, we also consider a subclass of OPDs, which we call stable OPDs, where the transition relation is consistent with the partial information available to the environment. Our main results are the following.

• The program complexity of PMC with imperfect information against CTL restricted to the class of OPDs with visible stack content is 2EXPTIME-hard¹ even for a fixed formula of the existential fragment ECTL of CTL (hence, exponentially harder than the program complexity of PMC with perfect information against CTL, which is known to be EXPTIME-complete Q). The result is obtained by a polynomial-time reduction from the acceptance problem for EXPSPACE-bounded Alternating Turing Machines, which is known to be 2EXPTIME-complete (H.

• PMC with imperfect information against CTL restricted to the class of OPDs with visible stack content depth is undecidable, even if the CTL formula is assumed to be in the fragment of CTL using only temporal modalities EF and EX, and their duals, and the OPD is assumed to be stable and having only environment configurations. The result is obtained by a reduction from the Post's Correspondence Problem, a well known undecidable problem [12].

• PMC with imperfect information against the existential fragment ECTL of CTL restricted to the class of stable OPDs with visible stack content depth and having only environment configurations is instead decidable and in 2EXPTIME. The result is proved by a reduction to non-emptiness of Büchi alternating visible pushdown automata (AVPA) [5], which is 2EXPTIME-complete Q.

The full version of this paper can be requested from the author by e-mail.

¹ hence, 2EXPTIME-complete, since PMC with imperfect information against CTL restricted to the class of OPDs with visible stack content is known to be 2EXPTIME-complete [2]

2 Preliminaries 

Let $\mathbb{N}$ be the set of natural numbers. A tree $T$ is a prefix closed subset of $\mathbb{N}^*$. The elements of $T$ are called nodes and the empty word $\varepsilon$ is the root of $T$. For $x \in T$, the set of children of $x$ (in $T$) is $children(T,x) = \{x \cdot i \in T \mid i \in \mathbb{N}\}$. For $x \in T$, a (full) path of $T$ from $x$ is a maximal sequence $\pi = x_1, x_2, \ldots$ of nodes in $T$ such that $x_1 = x$ and for each $1 \le i < |\pi|$, $x_{i+1} \in children(T, x_i)$. In the following, for a path of $T$, we mean a path of $T$ from the root $\varepsilon$. For an alphabet $\Sigma$, a $\Sigma$-labeled tree is a pair $(T, V)$, where $T$ is a tree and $V : T \to \Sigma$ maps each node of $T$ to a symbol in $\Sigma$. Given two $\Sigma$-labeled trees $(T, V)$ and $(T', V')$, we say that $(T, V)$ is contained in $(T', V')$ if $T \subseteq T'$ and $V'(x) = V(x)$ for each $x \in T$. In order to simplify the notation, sometimes we write simply $T$ to denote a $\Sigma$-labeled tree $(T, V)$.

2.1 Module checking with imperfect information 

In this paper we consider open systems, i.e. systems that interact with their environment and whose behavior depends on this interaction. Moreover, we consider the case where the environment has imperfect information about the states of the system. This is modeled by an equivalence relation $\cong$ on the set of states. States that are indistinguishable by the environment, because the difference between them is kept invisible by the system, are equivalent according to $\cong$. We describe an open system by an open Kripke structure (called also module iPTolO $\mathcal{M} = \langle AP, S = S_{sy} \cup S_{en}, s_0, R, L, \cong \rangle$, where $AP$ is a finite set of atomic propositions, $S$ is a (possibly infinite) set of states partitioned into a set $S_{sy}$ of system states and a set $S_{en}$ of environment states, and $s_0 \in S$ is a designated initial state. Moreover, $R \subseteq S \times S$ is a transition relation, $L : S \to 2^{AP}$ maps each state $s$ to the set of atomic propositions that hold in $s$, and $\cong$ is an equivalence relation on the set of states $S$. Since the designation of a state as an environment state is obviously known to the environment, we require that for all states $s, s'$ such that $s \cong s'$, $s \in S_{en}$ iff $s' \in S_{en}$. For each $s \in S$, we denote by $vis(s)$ the equivalence class of $s$ w.r.t. $\cong$. Intuitively, $vis(s)$ represents what the environment "sees" of $s$. A successor of $s$ is a state $s'$ such that $(s,s') \in R$. State $s$ is terminal if it has no successor. When the module $\mathcal{M}$ is in a non-terminal system state $s \in S_{sy}$, then all the successors of $s$ are possible next states. On the other hand, when $\mathcal{M}$ is in a non-terminal environment state $s \in S_{en}$, then the environment decides, based on the visible part of each successor of $s$, and of the history of the computation so far, to which of the successor states the computation can proceed, and to which it can not. Additionally, we consider environments that cannot block the system, i.e. not all the transitions from a non-terminal environment state are disabled. For a state $s$ of $\mathcal{M}$, let $T_{\mathcal{M},s}$ be the computation tree of $\mathcal{M}$ from $s$, i.e. the $S$-labeled tree obtained by unwinding $\mathcal{M}$ starting from $s$ in the usual way. Note that $T_{\mathcal{M},s}$ describes the behavior of $\mathcal{M}$ under the maximal environment, i.e. the environment that never restricts the set of next states. The behavior of $\mathcal{M}$ under a specific environment (possibly different from the maximal one) is formalized by the notion of strategy tree as follows. For a node $x$ of the computation tree $T_{\mathcal{M},s}$, let $s_1, \ldots, s_p$ be the sequence of states labeling the partial path from the root to node $x$. We denote by $vis(x)$ the sequence $vis(s_1), \ldots, vis(s_p)$, which represents the visible part of the (partial) computation $s_1, \ldots, s_p$ associated with node $x$. A strategy tree from $s$ is an $S$-labeled tree obtained from the computation tree $T_{\mathcal{M},s}$ by pruning from $T_{\mathcal{M},s}$ subtrees whose roots are children of nodes labeled by environment states. Additionally, we require that such a pruning is consistent with the partial information available to the environment: if two nodes $x_1$ and $x_2$ of $T_{\mathcal{M},s}$ are indistinguishable, i.e. $vis(x_1) = vis(x_2)$, then the subtree rooted at $x_1$ is pruned iff the subtree rooted at $x_2$ is pruned as well. Formally, a strategy tree of $\mathcal{M}$ from a state $s \in S$ is an $S$-labeled tree $ST$ such that $ST$ is contained in $T_{\mathcal{M},s}$ and the following holds:

• for each node $x$ of $ST$ labeled by a system state, $children(ST,x) = children(T_{\mathcal{M},s},x)$;

• for each node $x$ of $ST$ labeled by an environment state, $children(ST,x) \neq \emptyset$ if $children(T_{\mathcal{M},s},x) \neq \emptyset$;

• for all nodes $x_1$ and $x_2$ of $T_{\mathcal{M},s}$ such that $vis(x_1) = vis(x_2)$, $x_1$ is a node of $ST$ iff $x_2$ is a node of $ST$. Note that if $x_1$ is a child of an environment node, then so is $x_2$.

For a node $x$ of $ST$, $state(x)$ denotes the $S$-state labeling $x$. A strategy tree of $\mathcal{M}$ is a strategy tree of $\mathcal{M}$ from the initial state. In the following, a strategy tree $ST$ is seen as a $2^{AP}$-labeled tree, i.e. taking the label of a node $x$ to be $L(state(x))$. We also consider a restricted class of modules. A module $\mathcal{M}$ is stable (w.r.t. visible information) iff for all states $s_1$ and $s_2$ s.t. $vis(s_1) = vis(s_2)$ and both $s_1$ and $s_2$ have some successor, it holds that: for each successor $s_1'$ of $s_1$, there is a successor $s_2'$ of $s_2$ s.t. $vis(s_1') = vis(s_2')$. Note that this notion is similar to that given in [17] for standard imperfect information games.
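
The three strategy-tree conditions and the stability condition above can be checked mechanically on a finite module. The following Python code is an added example, not code from the paper: the module `STATES`/`R`, the depth cut-off and all function names are constructed for illustration, and a node is represented by the sequence of states leading to it.

```python
from itertools import product

# Constructed finite module (illustrative, not from the paper).
# state -> (owner, visible part). States with the same visible part are
# indistinguishable for the environment and have the same owner.
STATES = {
    "s0": ("env", "a"),
    "s1": ("sys", "b"),
    "s2": ("sys", "b"),   # looks exactly like s1 to the environment
    "s3": ("sys", "c"),
}
R = {"s0": ["s1", "s2", "s3"], "s1": ["s3"], "s2": ["s0"], "s3": []}


def vis(node):
    """Visible part of a node: the visible parts of the states on its path."""
    return tuple(STATES[s][1] for s in node)


def unwind(root, depth):
    """Computation tree from `root`, cut after `depth` transitions."""
    nodes, frontier = {(root,)}, [(root,)]
    for _ in range(depth):
        frontier = [x + (t,) for x in frontier for t in R[x[-1]]]
        nodes.update(frontier)
    return nodes


def children(nodes, x):
    return {y for y in nodes if y[:-1] == x}


def violations(st, root, depth):
    """Strategy-tree conditions broken by the node set `st` (empty list: none)."""
    full = unwind(root, depth)
    if ((root,) not in st or not st <= full
            or any(x[:-1] not in st for x in st if len(x) > 1)):
        return ["not a subtree of the computation tree"]
    found = set()
    for x in st:
        if len(x) == depth + 1:
            continue                      # cut-off level: children not unwound
        owner = STATES[x[-1]][0]
        if owner == "sys" and children(st, x) != children(full, x):
            found.add("system choice pruned")
        if owner == "env" and children(full, x) and not children(st, x):
            found.add("environment blocks the system")
    kept = {}                             # visible history -> {kept?, pruned?}
    for x in full:
        kept.setdefault(vis(x), set()).add(x in st)
    if any(len(flags) == 2 for flags in kept.values()):
        found.add("pruning separates indistinguishable nodes")
    return sorted(found)


def is_stable():
    """Stability w.r.t. visible information, as defined for modules."""
    for s1, s2 in product(R, repeat=2):
        if STATES[s1][1] == STATES[s2][1] and R[s1] and R[s2]:
            seen1 = {STATES[t][1] for t in R[s1]}
            seen2 = {STATES[t][1] for t in R[s2]}
            if not seen1 <= seen2:
                return False
    return True


if __name__ == "__main__":
    # The environment cannot keep s1 while pruning its look-alike s2.
    one_sided = {("s0",), ("s0", "s1"), ("s0", "s1", "s3"), ("s0", "s3")}
    print(violations(one_sided, "s0", 2), is_stable())
```
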

CTL Module Checking: as specification logical language, we consider the standard branching temporal logic CTL [10], whose formulas $\varphi$ over $AP$ are assumed to be in positive normal form, i.e. defined as:

$\varphi := true \mid prop \mid \neg prop \mid \varphi \vee \varphi \mid \varphi \wedge \varphi \mid EX\varphi \mid AX\varphi \mid E(\varphi\, U\, \varphi) \mid A(\varphi\, U\, \varphi) \mid E(\varphi\, \tilde{U}\, \varphi) \mid A(\varphi\, \tilde{U}\, \varphi)$

where $prop \in AP$, E (resp., A) is the existential (resp., universal) path quantifier, X and U are the next and until temporal operators, and $\tilde{U}$ is the dual of $U$. We use classical shortcuts: $EF\varphi$ is for $E(true\, U\, \varphi)$ ("existential eventually") and $AF\varphi$ is for $A(true\, U\, \varphi)$ ("universal eventually"), and their duals $AG\varphi := \neg EF \neg\varphi$ and $EG\varphi := \neg AF \neg\varphi$. We also consider the universal (resp., existential) fragment ACTL (resp., ECTL) of CTL obtained by disallowing the existential (resp., universal) path quantifier, and the fragment CTL(EF, EX, AG, AX) using only temporal modalities EF and EX, and their duals. For a definition of the semantics of CTL (which is given with respect to $2^{AP}$-labeled trees) see [10].

For a module $\mathcal{M}$ and a CTL formula $\varphi$ over $AP$, $\mathcal{M}$ reactively satisfies $\varphi$, denoted $\mathcal{M} \models_r \varphi$, if all the strategy trees of $\mathcal{M}$ (from the initial state) satisfy $\varphi$. Note that $\mathcal{M} \not\models_r \varphi$ is not equivalent to $\mathcal{M} \models_r \neg\varphi$. Indeed, $\mathcal{M} \not\models_r \varphi$ just states that there is some strategy tree $ST$ satisfying $\neg\varphi$.



2.2 Pushdown Module Checking with Imperfect Information 

In this paper we consider Modules induced by Open Pushdown Systems (OPD, for short), i.e., Pushdown systems where the set of configurations is partitioned (in accordance with the control state and the symbol on the top of the stack) into a set of environment configurations and a set of system configurations.

An OPD is a tuple $\mathcal{S} = \langle AP, Q, q_0, \Gamma, \flat, \Delta, \mu, Env \rangle$, where $AP$ is a finite set of propositions, $Q$ is a finite set of control states, $q_0 \in Q$ is the initial control state, $\Gamma$ is a finite stack alphabet, $\flat \notin \Gamma$ is the special stack bottom symbol, $\Delta \subseteq (Q \times Q) \cup (Q \times Q \times \Gamma) \cup (Q \times (\Gamma \cup \{\flat\}) \times Q)$ is the transition relation, $\mu : Q \times (\Gamma \cup \{\flat\}) \to 2^{AP}$ is a labeling function, and $Env \subseteq Q \times (\Gamma \cup \{\flat\})$ is used to specify the set of environment configurations. A transition of the form $(q, q', \gamma)$, written $q \xrightarrow{push(\gamma)} q'$, is a push transition, where $\gamma \neq \flat$ is pushed onto the stack (and the control changes from $q$ to $q'$). A transition of the form $(q, \gamma, q')$, written $q \xrightarrow{pop(\gamma)} q'$, is a pop transition, where $\gamma$ is popped from the stack. Finally, a transition of the form $(q, q')$, written $q \to q'$, is an internal transition, where the stack is not used. We assume that $Q \subseteq 2^{I \cup H}$, where $I$ and $H$ are disjoint finite sets of visible and invisible control variables, and $\Gamma \subseteq 2^{I_\Gamma \cup H_\Gamma}$, where $I_\Gamma$ and $H_\Gamma$ are disjoint finite sets of visible and invisible stack content variables.

A configuration or state of $\mathcal{S}$ is a pair $(q, \alpha)$, where $q \in Q$ and $\alpha \in \Gamma^* \cdot \flat$ is a stack content. We denote by $top(\alpha)$ the top of the stack content $\alpha$, i.e. the leftmost symbol of $\alpha$. For a control state $q \in Q$, the visible part of $q$ is $vis(q) = q \cap I$. For a stack symbol $\gamma \in \Gamma$, if $\gamma \subseteq H_\Gamma$ and $\gamma \neq \emptyset$, we set $vis(\gamma) = \varepsilon$, otherwise we set $vis(\gamma) = \gamma \cap I_\Gamma$. By setting $vis(\gamma) = \varepsilon$ whenever $\gamma$ consists entirely of invisible variables, we allow the system to completely hide a push operation. The visible part of a configuration $(q, \alpha)$ is $(vis(q), vis(\alpha))$, where for $\alpha = \gamma_0 \ldots \gamma_n \cdot \flat$, $vis(\alpha) = vis(\gamma_0) \ldots vis(\gamma_n) \cdot \flat$. The stack content (resp., the control) is visible if $H_\Gamma = \emptyset$ (resp., $H = \emptyset$). Moreover, the stack content depth is visible if $vis(\gamma) \neq \varepsilon$ for each stack symbol $\gamma \in \Gamma$. Since the designation of an OPD state as an environment state is known to the environment, we require that for all states $(q, \alpha)$ and $(q', \alpha')$ such that $(vis(q), vis(top(\alpha))) = (vis(q'), vis(top(\alpha')))$, $(q, top(\alpha)) \in Env$ iff $(q', top(\alpha')) \in Env$. The OPD $\mathcal{S}$ induces an infinite-state module $\mathcal{M}_{\mathcal{S}} = \langle AP, S = S_{sy} \cup S_{en}, s_0, R, L, \cong \rangle$, defined as follows:

• $S_{sy} \cup S_{en}$ is the set of configurations of $\mathcal{S}$, and $S_{en}$ is the set of states $(q, \alpha)$ s.t. $(q, top(\alpha)) \in Env$;

• $s_0 = (q_0, \flat)$ is the initial configuration (initially, the stack is empty);

• $((q,\alpha), (q',\alpha')) \in R$ iff: (1) $q \to q' \in \Delta$ and $\alpha' = \alpha$, or (2) $q \xrightarrow{push(\gamma)} q' \in \Delta$ and $\alpha' = \gamma \cdot \alpha$, or (3) $q \xrightarrow{pop(\gamma)} q' \in \Delta$, and either $\alpha' = \alpha = \gamma = \flat$ or $\gamma \neq \flat$ and $\alpha = \gamma \cdot \alpha'$ (note that every pop transition that removes $\flat$ also pushes it back);

• $L((q,\alpha)) = \mu((q, top(\alpha)))$ for all $(q,\alpha) \in S$;

• for all $(q,\alpha), (q',\alpha') \in S$, we have that $(q,\alpha) \cong (q',\alpha')$ iff $(vis(q), vis(\alpha)) = (vis(q'), vis(\alpha'))$.

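A strategy tree of $\mathcal{S}$ is a strategy tree of $\mathcal{M}_{\mathcal{S}}$ from the initial state. Given $(q, \gamma) \in Q \times (\Gamma \cup \{\flat\})$, $(q, \gamma)$ is non-terminal (w.r.t. $\mathcal{S}$) iff: $q \to q' \in \Delta$, or $q \xrightarrow{pop(\gamma)} q' \in \Delta$, or $q \xrightarrow{push(\gamma')} q' \in \Delta$ for some $q' \in Q$ and $\gamma' \in \Gamma$. Note that a state $(q, \alpha)$ of $\mathcal{M}_{\mathcal{S}}$ has some successor (in $\mathcal{M}_{\mathcal{S}}$) iff $(q, top(\alpha))$ is non-terminal. We also consider a subclass of OPD. An OPD $\mathcal{S} = \langle AP, Q, q_0, \Gamma, \flat, \Delta, \mu, Env \rangle$ is stable iff for all non-terminal pairs $(q_1, \gamma_1), (q_2, \gamma_2) \in Q \times (\Gamma \cup \{\flat\})$ s.t. $vis(q_1) = vis(q_2)$ and $vis(\gamma_1) = vis(\gamma_2)$, the following holds:

• if $q_1 \to q_1' \in \Delta$, then there is $q_2 \to q_2' \in \Delta$ such that $vis(q_1') = vis(q_2')$;

• if $q_1 \xrightarrow{push(\gamma)} q_1' \in \Delta$, then there is $q_2 \xrightarrow{push(\gamma')} q_2' \in \Delta$ such that $vis(q_1') = vis(q_2')$ and $vis(\gamma) = vis(\gamma')$;

• if $q_1 \xrightarrow{pop(\gamma_1)} q_1' \in \Delta$, then there is $q_2 \xrightarrow{pop(\gamma_2)} q_2' \in \Delta$ such that $vis(q_1') = vis(q_2')$.

Remark 1. Note that for an OPD $\mathcal{S}$ with visible stack content depth, $\mathcal{S}$ is stable iff $\mathcal{M}_{\mathcal{S}}$ is stable.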
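
The definitions of the visible part, of visible stack content depth and of stable OPDs can be executed directly on a small OPD. The following Python code is an added example, not code from the paper: the variable sets, control states, stack symbols and the two transition lists are constructed, and the encoding of transitions as tuples is an assumption of this example.

```python
from itertools import product

BOTTOM = "bottom"   # stands for the special stack bottom symbol
EPS = "eps"         # stands for the empty word (a completely hidden symbol)

# Constructed sample: visible/invisible control and stack content variables.
I, H = frozenset("abc"), frozenset("h")
I_G, H_G = frozenset("x"), frozenset("k")
P, PH, B, C = frozenset("a"), frozenset("ah"), frozenset("b"), frozenset("c")
X, XK, K = frozenset("x"), frozenset("xk"), frozenset("k")
Q = [P, PH, B, C]


def vis_q(q):
    """Visible part of a control state: its visible variables."""
    return q & I


def vis_g(g):
    """Visible part of a stack symbol; EPS when the symbol is entirely invisible."""
    if g == BOTTOM:
        return BOTTOM
    if g and g <= H_G:
        return EPS
    return g & I_G


def depth_visible(gamma):
    """Stack content depth is visible iff no stack symbol is completely hidden."""
    return all(vis_g(g) != EPS for g in gamma)


# Transitions: ("int", q, q'), ("push", q, g, q'), ("pop", q, g, q').
def non_terminal(q, g, delta):
    return any(t[1] == q and (t[0] != "pop" or t[2] == g) for t in delta)


def footprint(q, g, delta):
    """What the environment can observe of each transition enabled in (q, g)."""
    out = set()
    for t in delta:
        if t[1] != q:
            continue
        if t[0] == "int":
            out.add(("int", vis_q(t[2])))
        elif t[0] == "push":
            out.add(("push", vis_g(t[2]), vis_q(t[3])))
        elif t[2] == g:                      # pop of the current top symbol
            out.add(("pop", vis_q(t[3])))
    return out


def stability_violations(states, gamma, delta):
    """Pairs of indistinguishable non-terminal pairs that break stability."""
    pairs = [(q, g) for q, g in product(states, list(gamma) + [BOTTOM])
             if non_terminal(q, g, delta)]
    bad = []
    for (q1, g1), (q2, g2) in product(pairs, repeat=2):
        if vis_q(q1) == vis_q(q2) and vis_g(g1) == vis_g(g2):
            missing = footprint(q1, g1, delta) - footprint(q2, g2, delta)
            if missing:
                bad.append(((q1, g1), (q2, g2), missing))
    return bad


# P and PH differ only in the invisible variable h, yet reach states that the
# environment can tell apart: not stable.
UNSTABLE = [("push", P, X, B), ("push", PH, X, C)]
# Adding the mirrored moves (XK has the same visible part as X) restores stability.
STABLE = UNSTABLE + [("push", P, X, C), ("push", PH, XK, B)]

if __name__ == "__main__":
    print(len(stability_violations(Q, [X, XK], UNSTABLE)))
    print(stability_violations(Q, [X, XK], STABLE))
```
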

In the rest of this paper, we consider OPD $\mathcal{S}$ where each state is labeled by a singleton in $2^{AP}$ (for a given set $AP$ of atomic propositions), hence, the strategy trees can be seen as $AP$-labeled trees.

The pushdown module checking problem (PMC) with imperfect information against CTL is to decide, for a given OPD $\mathcal{S}$ and a CTL formula $\varphi$, whether $\mathcal{M}_{\mathcal{S}} \models_r \varphi$.



3 Pushdown module checking for OPD with visible stack content 

In this section, we prove the following result. 

Theorem 1. The program complexity of PMC with imperfect information against CTL restricted to the class of OPDs with visible stack content is 2EXPTIME-hard, even for a fixed ECTL formula.²

Theorem 1 is proved by a polynomial-time reduction from the acceptance problem for EXPSPACE-bounded alternating Turing Machines (TM) with a binary branching degree, which is known to be 2EXPTIME-complete 0. In the rest of this section, we fix such a TM machine $\mathcal{T} = \langle A, Q = Q_\forall \cup Q_\exists, q_0, \delta, F \rangle$, where $A$ is the input alphabet containing the blank symbol #, $Q_\exists$ (resp., $Q_\forall$) is the set of existential (resp., universal) states, $q_0$ is the initial state, $\delta : Q \times A \to (Q \times A \times \{\leftarrow, \rightarrow\}) \times (Q \times A \times \{\leftarrow, \rightarrow\})$ is the transition function, and $F \subseteq Q$ is the set of accepting states. Thus, in each step, $\mathcal{T}$ overwrites the tape cell being scanned, and the tape head moves one position to the left ($\leftarrow$) or right ($\rightarrow$). We fix an input $w_{in} \in A^*$ and consider the parameter $n = |w_{in}|$ (we assume that $n > 1$). Since $\mathcal{T}$ is EXPSPACE-bounded, we can assume that $\mathcal{T}$ uses exactly $2^n$ tape cells when started on the input $w_{in}$. Hence, a TM configuration (of $\mathcal{T}$ over $w_{in}$) is a word $C = w_1 \cdot (a,q) \cdot w_2 \in A^* \cdot (A \times Q) \cdot A^*$ of length exactly $2^n$ denoting that the tape content is $w_1 \cdot a \cdot w_2$, the current state is $q$, and the tape head is at position $|w_1| + 1$. $C$ is accepting if the associated state $q$ is in $F$. We denote by $succ_L(C)$ (resp., $succ_R(C)$) the TM successor of $C$ obtained by choosing the left (resp., right) triple in $\delta(q,a)$. The initial configuration $C_{in}$ is $(w_{in}(0), q_0), w_{in}(1), \ldots, w_{in}(n-1), \#, \#, \ldots, \#$, where the number of blanks at the right of $w_{in}(n-1)$ is $2^n - n$. For a TM configuration $C = C(0), \ldots, C(2^n - 1)$, the 'value' $u_i$ of the $i$-th symbol of $succ_L(C)$ (resp., $succ_R(C)$) is completely determined by the values $C(i-1)$, $C(i)$ and $C(i+1)$ (taking $C(i+1)$ for $i = 2^n - 1$ and $C(i-1)$ for $i = 0$ to be some special symbol, say $\bot$). We denote by $next_L(C(i-1), C(i), C(i+1))$ (resp., $next_R(C(i-1), C(i), C(i+1))$) our expectation for $u_i$ (these functions can be trivially obtained from the transition function $\delta$ of $\mathcal{T}$).

² for program complexity, we mean the complexity of the problem in terms of the size of the OPD, for a fixed CTL formula

We prove the following result, hence, Theorem 1 follows (note that ECTL is the dual of ACTL).

Theorem 2. One can construct in polynomial time (in the sizes of $\mathcal{T}$ and $w_{in}$) an OPD $\mathcal{S}$ with visible stack content such that $\mathcal{T}$ accepts $w_{in}$ iff there is a strategy tree of $\mathcal{S}$ satisfying a fixed computable ACTL formula $\varphi$ (independent on $\mathcal{T}$ and $w_{in}$).

In the following, first we describe a suitable encoding of acceptance of $\mathcal{T}$ over $w_{in}$. Then, we illustrate the construction of the OPD $\mathcal{S}$ of Theorem 2 based on this encoding.

Preliminary step: encoding of acceptance of $\mathcal{T}$ over $w_{in}$. We use the following set $\Gamma$ of symbols (which will correspond to the stack alphabet of the OPD $\mathcal{S}$ of Theorem 2)³:

$\Gamma = \Lambda \cup \{L, R, 0, 1, \exists, \forall\} \cup (\{\natural\} \times \{\bot, 1, \ldots, n\})$

where $\Lambda$ consists of the triples $(u_p, u, u_s)$ such that $u \in A \cup (A \times Q)$ and $u_p, u_s \in A \cup (A \times Q) \cup \{\bot\}$. Intuitively, $u_p, u, u_s$ represent three consecutive symbols in a TM configuration $C$, where $u_p = \bot$ (resp., $u_s = \bot$) iff $u$ is the first (resp., the last) symbol of $C$. First, we describe the encoding of TM configurations $C = C(0), \ldots, C(2^n - 1)$ by finite words over $\Gamma$. Intuitively, the encoding of $C$ is a sequence of $2^n$ blocks, where the $i$-th block ($0 \le i \le 2^n - 1$) keeps tracks of the triple $(C(i-1), C(i), C(i+1))$ and the binary code of position $i$ (cell number). Note that the cell numbers are in the range $[0, 2^n - 1]$ and can be encoded by using $n$ bits. Formally, a TM block is a word over $\Gamma$ of length $n + 2$ of the form $bl = t, bit_1, \ldots, bit_n, (\natural, h)$, where $t \in \Lambda$, $bit_1, \ldots, bit_n \in \{0, 1\}$, and $h$ is the position $i$ of the first bit $bit_i$ (from left to right) such that $bit_i = 0$ if such a 0-bit exists, and $h = \bot$ otherwise. The content $CON(bl)$ of $bl$ is $t$ and the block number $ID(bl)$ of $bl$ is the integer in $[0, 2^n - 1]$ whose binary code is $bit_1, \ldots, bit_n$ (we assume that the first bit is the least significant one). Fix a pseudo TM configuration $C = C(0), \ldots, C(k-1)$ with $k > 1$, which is defined as a TM configuration with the unique difference that the length $k$ of $C$ is not required to be $2^n$. We say that $C$ is initial if $C$ corresponds to the initial TM configuration $C_{in}$ with the unique difference that the number of blanks at the right of $w_{in}(n-1)$ is not required to be $2^n - n$. A TM pseudo code of $C$ is a word $w_C = bl_0 \cdot \ldots \cdot bl_{k-1} \cdot tag$ over $\Gamma$ satisfying the following, where $C(-1), C(k) = \bot$:

• $tag \in \{\exists, \forall\}$ and $tag = \exists$ iff $C$ is existential (i.e., the associated TM state is in $Q_\exists$);

• each $bl_i$ is a TM block such that $CON(bl_i) = (C(i-1), C(i), C(i+1))$;

• $ID(bl_0) = 0$ and $ID(bl_{k-1}) = 2^n - 1$. Moreover, for each $0 \le h < k-1$, $ID(bl_h) \neq 2^n - 1$.

³ Since the stack content of $\mathcal{S}$ is visible, we assume that each stack symbol in $\Gamma$ consists exactly of a visible stack content variable. Hence, we identify the set $\Gamma$ of stack symbols with the set of visible stack content variables.

If $k = 2^n$ and additionally, for each $i$, $ID(bl_i) = i$, then we say that the word $w_C$ is the TM code of the TM configuration $C$. Given a non-empty sequence $\nu = C_1, \ldots, C_p$ of pseudo TM configurations, a pseudo sequence-code of $\nu$ is a word over $\Gamma \cup \{\flat\}$ (recall that $\flat$ is the special bottom stack symbol of an OPD) of the form $w_\nu = \flat \cdot w_{C_1} \cdot dir_2 \cdot w_{C_2} \cdot \ldots \cdot dir_p \cdot w_{C_p}$ such that $dir_2, \ldots, dir_p \in \{L, R\}$ and each $w_{C_i}$ is a pseudo code of $C_i$. The word $w_\nu$ is initial if $C_1$ is initial, and is accepting if $C_p$ is accepting and each $C_j$ with $j < p$ is not accepting. Moreover, if, additionally, each $C_i$ is a TM configuration and $w_{C_i}$ is a code of $C_i$, then we say that $w_\nu$ is a sequence-code. Furthermore, $w_\nu$ is faithful to the evolution of $\mathcal{T}$ if $C_i = succ_{dir_i}(C_{i-1})$ for each $2 \le i \le p$. We encode the acceptance of $\mathcal{T}$ over $w_{in}$ as follows, where a $\Gamma \cup \{\flat\}$-labeled tree is minimal if the children of each node have distinct labels. An accepting pseudo tree-code is a finite minimal $\Gamma \cup \{\flat\}$-labeled tree $T$ such that for each path $\pi$ of $T$, the word labeling $\pi$, written $w_\pi$, is an initial and accepting pseudo sequence-code (of some sequence of pseudo TM configurations) and:

• each internal node labeled by $\exists$ (existential choice node) has at most two children: one, if any, is labeled by $L$, and the other one, if any, is labeled by $R$;

• each internal node labeled by $\forall$ (universal choice node) has exactly two children: one is labeled by $L$, and the other one is labeled by $R$.

If for each path $\pi$ of $T$, $w_\pi$ is a sequence-code, then we say that $T$ is an accepting tree-code. Moreover, if for each path $\pi$ of $T$, $w_\pi$ is faithful to the evolution of $\mathcal{T}$, then we say that $T$ is fair.

Remark 2. $\mathcal{T}$ accepts $w_{in}$ iff there is an accepting fair tree-code.
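
The block encoding defined above, and the gap between a TM pseudo code and a TM code, can be made concrete. The following Python code is an added example, not code from the paper: the sample configuration, the state name `q0`, the string stand-ins for the special symbols and the representation of a word as a list of blocks followed by the tag are assumptions of this example.

```python
BOT = None                    # stands for the special symbol "bottom" (no neighbour)
NAT = "nat"                   # stands for the marker paired with the first-0 position
TAGS = ("exists", "forall")   # stand for the two tag symbols


def block(triple, ident, n):
    """TM block: content triple, n bits of `ident` (first bit least significant),
    then the marker carrying the position of the first 0 bit (BOT if none)."""
    bits = tuple((ident >> j) & 1 for j in range(n))
    h = next((j + 1 for j, b in enumerate(bits) if b == 0), BOT)
    return (triple,) + bits + ((NAT, h),)


def con(bl):
    return bl[0]


def block_id(bl):
    return sum(b << j for j, b in enumerate(bl[1:-1]))


def triples(config):
    """(C(i-1), C(i), C(i+1)) for every cell, with BOT beyond both ends."""
    padded = [BOT] + list(config) + [BOT]
    return [tuple(padded[i:i + 3]) for i in range(len(config))]


def encode(config, ids, n, existential):
    """Word bl_0 ... bl_{k-1} tag, where block i carries the number ids[i]."""
    state = next(c[1] for c in config if isinstance(c, tuple))
    tag = "exists" if state in existential else "forall"
    return [block(t, i, n) for t, i in zip(triples(config), ids)] + [tag]


def well_formed(bl, n):
    if len(bl) != n + 2 or not isinstance(bl[0], tuple) or len(bl[0]) != 3:
        return False
    if any(b not in (0, 1) for b in bl[1:-1]):
        return False
    return bl == block(con(bl), block_id(bl), n)   # marker agrees with the bits


def is_pseudo_code(word, n, existential):
    *blocks, tag = word
    if tag not in TAGS or len(blocks) < 2:
        return False
    if not all(well_formed(b, n) for b in blocks):
        return False
    config = [con(b)[1] for b in blocks]           # C(i) is the middle component
    heads = [c for c in config if isinstance(c, tuple)]
    if len(heads) != 1 or [con(b) for b in blocks] != triples(config):
        return False
    if (tag == "exists") != (heads[0][1] in existential):
        return False
    ids, last = [block_id(b) for b in blocks], 2 ** n - 1
    return ids[0] == 0 and ids[-1] == last and last not in ids[:-1]


def is_code(word, n, existential):
    ids = [block_id(b) for b in word[:-1]]
    return is_pseudo_code(word, n, existential) and ids == list(range(2 ** n))


# Constructed sample: n = 2, so a TM configuration has 2**2 = 4 cells.
CONFIG = [("a", "q0"), "b", "#", "#"]
E = {"q0"}

if __name__ == "__main__":
    shuffled = encode(CONFIG, [0, 2, 1, 3], 2, E)   # block numbers out of order
    print(is_pseudo_code(shuffled, 2, E), is_code(shuffled, 2, E))
```
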

Construction of the OPD $\mathcal{S}$ of Theorem 2. We construct the OPD $\mathcal{S}$ in a modular way, i.e. $\mathcal{S}$ is obtained by putting together three OPD $\mathcal{S}_0$, $\mathcal{S}_1$, and $\mathcal{S}_2$. Intuitively, the first OPD $\mathcal{S}_0$ does not use invisible information and ensures that the set of its finite strategy trees is precisely the set of accepting pseudo tree-codes. The second OPD $\mathcal{S}_1$, which does not use invisible information, is used to check, together with a fixed ACTL formula, that an accepting pseudo tree-code is in fact an accepting tree-code. The last OPD $\mathcal{S}_2$, which is the unique 'component' which uses invisible information, is used to check, together with a fixed ACTL formula, that an accepting tree-code is fair. First, we consider the OPDs $\mathcal{S}_0$ and $\mathcal{S}_1$. For a finite word $w$, we denote by $w^R$ the reverse of $w$.

Lemma 1. One can build in polynomial time (in the sizes of $\mathcal{T}$ and $w_{in}$) an OPD $\mathcal{S}_0$ with no invisible information, stack alphabet $\Gamma$, set of propositions $\Gamma \cup \{\flat\}$, and special terminal⁴ control state $p_{fin}$ s.t. $\mathcal{S}_0$ has only push transitions and the set of its finite strategy trees $ST$ is the set of accepting pseudo tree-codes. Moreover, for each node $x$ of $ST$, the stack content of $state(x)$ is the reverse of the word labeling the partial path from the root to $x$, and $state(x)$ has control state $p_{fin}$ and it is a system state if $x$ is a leaf.

Lemma 2. One can build in polynomial time (in the sizes of $\mathcal{T}$ and $w_{in}$) an OPD $\mathcal{S}_1$ with no invisible information, stack alphabet $\Gamma$, and set of propositions $\{main_1, check_1, good_1\}$ s.t. $\mathcal{S}_1$ has only pop transitions and for each state $s = (p_0, \alpha^R)$ such that $p_0$ is the initial control state and $\alpha$ is a TM pseudo sequence-code, the following holds: $s$ is labeled by $main_1$, there is a unique strategy tree $ST$ from $s$, $ST$ is finite, and $\alpha$ is a sequence code iff $ST$ satisfies the fixed ACTL formula $\varphi_{check_1} = AG(check_1 \to AF\, good_1)$.

Lemma 3. One can build in polynomial time (in the sizes of $\mathcal{T}$ and $w_{in}$) an OPD $\mathcal{S}_2$ with invisible information and visible stack content, stack alphabet $\Gamma$, and set of propositions $AP = \{main_2, check_2, select_2, good_2\}$, s.t. $\mathcal{S}_2$ has only pop transitions and for each state $s = (p_0, \alpha^R)$, where $p_0$ is the initial control state and $\alpha$ is a TM sequence-code, the following holds: state $s$ is labeled by $main_2$, each strategy tree of $\mathcal{S}_2$ from $s$ is finite, and $\alpha$ is faithful to the evolution of $\mathcal{T}$ iff there is a strategy tree $ST$ from $s$ satisfying the fixed ACTL formula $\varphi_{check_2} = AG(check_2 \to [((AX\, check_2) \vee (AX\, select_2)) \wedge AF\, good_2])$.

⁴ a terminal control state is a control state from which there is no transition

Proof. We informally describe the construction of $\mathcal{S}_2$, which additionally satisfies the following: (1) the labeling function can be seen as a mapping $\mu : P \to AP$, where $P$ is the set of control states, and (2) for each control state $p$, $vis(p) = \mu(p)$. Assume that initially $\mathcal{S}_2$ is in state $(p_0, \alpha^R)$, where $p_0$ is the initial control state and $\alpha$ is a sequence-code. Note that $\alpha$ is faithful to the evolution of $\mathcal{T}$ iff for each subword⁵ of $\alpha^R$ of the form $(bl_1^R \cdot \beta_1^R) \cdot dir \cdot \beta_2^R$ such that $\beta_1 \cdot bl_1$ is a prefix of a TM code, $bl_1$ is a TM block with $CON(bl_1) = (u_{1,p}, u_1, u_{1,s})$, and $\beta_2$ is a TM code, the following holds: $u_1 = next_{dir}(u_{2,p}, u_2, u_{2,s})$, where $(u_{2,p}, u_2, u_{2,s}) = CON(bl_2)$ and $bl_2$ is the unique TM block of $\beta_2$ such that $ID(bl_2) = ID(bl_1)$. Then, starting from the $main_2$-state $(p_0, \alpha^R)$, the $main_2$-copy of $\mathcal{S}_2$ pops $\alpha^R$ (symbol by symbol) and terminates its computation (a $main_2$-state is labeled by $main_2$) with the additional ability to start by internal nondeterminism (i.e., the choices are made by the system) $n$ auxiliary copies (each of them in a $check_2$-state) whenever the popped symbol is in $\{\natural\} \times \{\bot, 1, \ldots, n\}$. Let Z| be the currently popped symbol in $\{\natural\} \times \{\bot, 1, \ldots, n\}$. Hence, the current stack content is of the form $bl_1^R \cdot \alpha'$, where $bl_1$ is a TM block. Assume that $\alpha'$ contains some symbol in $\{L, R\}$ (the other case being simpler), hence $\alpha'$ is of the form $\beta_1^R \cdot dir \cdot \beta_2^R \cdot \alpha''$ such that $\beta_1 \cdot bl_1$ is a prefix of a TM code, $bl_1$ is a TM block with $CON(bl_1) = (u_{1,p}, u_1, u_{1,s})$, and $\beta_2$ is a TM code. Then, the $i$-th $check_2$ copy ($1 \le i \le n$), which visits states labeled by $check_2$, deterministically pops the stack (symbol by symbol) until the symbol $dir$ and memorizes by its finite control the $i$-th bit $bit_i^1$ of $bl_1$ and the symbol $u_1$ in the content $CON(bl_1)$ of $bl_1$. When the symbol $dir \in \{L, R\}$ is popped, then the $i$-th $check_2$ copy pops $\beta_2^R$ and terminates its computation with the additional ability to start by external nondeterminism (i.e., the choices are made by the environment) an auxiliary copy of $\mathcal{S}_2$ in a $select_2$-state (i.e., a state labeled by $select_2$) whenever the first symbol of the reverse of a TM block $bl_2$ of $\beta_2$ is popped. The $select_2$-copy, which keeps track of $bit_i^1$, $u_1$, and $dir$, deterministically pops $bl_2^R$ and memorizes by its finite control the $i$-th bit $bit_i^2$ of $bl_2$ and $CON(bl_2)$. When $CON(bl_2) = (u_{2,p}, u_2, u_{2,s})$ is popped, then the $select_2$-copy terminates its computation, and moves to a $good_2$-state iff $bit_i^2 = bit_i^1$ and $u_1 = next_{dir}(u_{2,p}, u_2, u_{2,s})$.

Let $ST$ be a strategy tree of $\mathcal{S}_2$ from state $(p_0, \alpha^R)$. For each $check_2$-node $x$ of $ST$, let $main(x)$ be the last $main_2$-node in the partial path from the root to $x$. Let $x$ and $y$ be two distinct $check_2$-nodes of $ST$ which have the same distance from the root and such that $main(x) = main(y)$. First, we observe that the stack contents of $x$ and $y$ coincide, and $x$ and $y$ are associated with two distinct $check_2$-copies. Since for all control states $p$, $vis(p) = \mu(p)$, it follows that for each $p \in \{check_2, select_2\}$, $x$ has a $p$-child iff $y$ has a $p$-child. Assume that $ST$ satisfies the fixed ACTL formula $\varphi_{check_2}$. Let $x$ be an arbitrary $main_2$-node of $ST$ such that the stack content of $x$ is of the form $(bl_1^R \cdot \beta_1^R) \cdot dir \cdot \beta_2^R \cdot \alpha'$, where $bl_1$ is a TM block, $\beta_1 \cdot bl_1$ is the prefix of a TM code, $dir \in \{L, R\}$, and $\beta_2$ is a TM code. Let $CON(bl_1) = (u_{1,p}, u_1, u_{1,s})$. By construction, it follows that for each $1 \le i \le n$, $x$ has a $check_2$-child $x_i$ such that the subtree rooted at $x_i$ is a chain which leads to a TM $select_2$-block $bl_2'$ of $\beta_2$ followed by a $good_2$-node such that the $i$-th bit of $bl_2'$ coincides with the $i$-th bit of $bl_1$ and $u_1 = next_{dir}(u_{2,p}', u_2', u_{2,s}')$, where $(u_{2,p}', u_2', u_{2,s}') = CON(bl_2')$. Moreover, by the observation above, it follows that all the $n$ $check_2$-copies associated with the $n$ $check_2$-children of $x$ select the same TM block $bl_2$ of $\beta_2$. Since the $i$-th bit of $bl_2$ coincides with the $i$-th bit of $bl_1$ for each $1 \le i \le n$, $bl_2$ is precisely the TM block of $\beta_2$ having the same cell number as $bl_1$. It follows that $\alpha$ is faithful to the evolution of $\mathcal{T}$. Vice versa, if $\alpha$ is faithful to the evolution of $\mathcal{T}$, it easily follows that there is a strategy tree from $(p_0, \alpha^R)$ satisfying $\varphi_{check_2}$. □

Let $\mathcal{S}_0$, $\mathcal{S}_1$, and $\mathcal{S}_2$ be the OPDs of Lemmata 1, 2, and 3, respectively. W.l.o.g. we assume that the sets of visible and invisible control variables of these OPDs are pairwise disjoint. Hence, their sets of control states are pairwise disjoint as well. The OPD $\mathcal{S}$ satisfying Theorem 2 is obtained from $\mathcal{S}_0$, $\mathcal{S}_1$, and $\mathcal{S}_2$ as: (1) the set of control states is the union of the sets of control states of $\mathcal{S}_0$, $\mathcal{S}_1$, and $\mathcal{S}_2$, and the initial control state is the initial control state of $\mathcal{S}_0$, (2) the transition relation contains all the transitions of $\mathcal{S}_0$, $\mathcal{S}_1$, and $\mathcal{S}_2$ and, additionally, two internal transitions from the special terminal control state $p_{fin}$ of $\mathcal{S}_0$ to the initial control states of $\mathcal{S}_1$ and $\mathcal{S}_2$, respectively, and (3) the labeling function and the partitioning in environment and system states are obtained from those of $\mathcal{S}_0$, $\mathcal{S}_1$, and $\mathcal{S}_2$ in the obvious way. Let $\varphi_{check_1}$ and $\varphi_{check_2}$ be the fixed ACTL formulas of Lemmata 2 and 3 and let $\varphi_{finite} = AF(AX\,\neg true)$ be the fixed ACTL formula asserting that a (finitely-branching) tree is finite.$^6$ Note that a state of $\mathcal{S}$ is a state of $\mathcal{S}_0$ iff it is not labeled by any proposition in $Prop_{fixed} = \{main_1, main_2, check_1, check_2, good_1, good_2, select_2\}$. By Lemmata 1, 2 and 3 we easily obtain that

Claim: there is an accepting fair tree-code (i.e., the TM accepts $w_{in}$) iff there is a strategy tree of $\mathcal{S}$ satisfying the fixed ACTL formula $\varphi_{finite} \wedge AG\big(\big[\bigwedge_{p \in Prop_{fixed}} \neg p\big] \rightarrow \big[\bigwedge_{i=1}^{2} AX(main_i \rightarrow \varphi_{check_i})\big]\big)$.

By the claim above, Theorem 2 follows, which concludes.

given a word $w$, a finite word $w'$ is a subword of $w$ if $w$ can be written in the form $w = w_1 \cdot w' \cdot w_2$

4 Pushdown module checking for OPD with visible stack content depth 

4.1 Undecidability results 

In this subsection, we establish the following result. 

Theorem 3. PMC with imperfect information against CTL restricted to OPDs with visible stack content depth is undecidable, even if the CTL formula is assumed to be in the fragment CTL(EF, EX, AG, AX) and the OPD is assumed to be stable and having only environment configurations.

Theorem [3] is proved by a reduction from the Post's Correspondence Problem (PCP, for short) llLTI . 
An instance $\mathcal{I}$ of PCP is a tuple $\mathcal{I} = ((u^1_1,\ldots,u^1_n),(u^2_1,\ldots,u^2_n))$, where $n \geq 1$ and for each $1 \leq i \leq n$, $u^1_i$ and $u^2_i$ are non-empty finite words over an alphabet $A$. Let $[n] = \{1,\ldots,n\}$. A solution of $\mathcal{I}$ is a non-empty sequence $i_1,\ldots,i_k$ of integers in $[n]$ such that $u^1_{i_1} \cdot u^1_{i_2} \cdot \ldots \cdot u^1_{i_k} = u^2_{i_1} \cdot u^2_{i_2} \cdot \ldots \cdot u^2_{i_k}$. PCP consists in checking for a given instance $\mathcal{I}$, whether $\mathcal{I}$ admits a solution. This problem is known to be undecidable 021. In the rest of this section, we fix a PCP instance $\mathcal{I} = ((u^1_1,\ldots,u^1_n),(u^2_1,\ldots,u^2_n))$ and prove the following result, hence Theorem 3 follows.

Theorem 4. One can build a stable OPD $\mathcal{S}$ with visible stack content depth and having only environment configurations, and a CTL(EF, EX, AG, AX) formula $\varphi$ such that $\mathcal{I}$ has no solution iff $\mathcal{S} \models_r \varphi$.

In order to prove Theorem 4, first we describe a suitable encoding of the set of solutions of $\mathcal{I}$. Some ideas in the proposed encoding are taken from 0], where emptiness of alternating automata on nested trees is shown to be undecidable.

6 note that a strategy tree of an OPD is finitely-branching, i.e. the set of children of any node is finite.

Preliminary step: encoding of the set of solutions of $\mathcal{I}$. We use the following set $AP$ of atomic propositions: $AP = A \cup [n] \cup ([n] \times \{\natural\}) \cup \{\flat, end_1, end_2, prev, succ, no_{match}, match, \top_1, \top_2, \bot_1, \bot_2, \Diamond\}$. We denote by $MAX$ the maximum of the sizes of the words in $\mathcal{I}$ and by $A^{MAX}$ the set of words $w \in A^+$ such that $|w| \leq MAX$. Let $i_1,\ldots,i_k \in [n]^+$ (i.e., a non-empty sequence of integers in $[n]$) and $w \in A^+$ (i.e., a non-empty finite word over $A$). A marked $(i_1,\ldots,i_k,w)$-word is a finite word $v$ over $AP$ obtained from the word $\flat \cdot i_1 \cdot \ldots \cdot i_k \cdot end_1 \cdot w^R \cdot end_2$ by replacing at most one integer occurrence $i_j$, where $1 \leq j \leq k$, with $(i_j,\natural)$. The marked $(i_1,\ldots,i_k,w)$-word $v$ is good if it contains exactly one marked integer occurrence. A (good) marked word is a (good) marked $(i_1,\ldots,i_k,w)$-word for some $i_1,\ldots,i_k \in [n]^+$ and $w \in A^+$. A marked tree $T_{marked}$ is a minimal $AP$-labeled tree satisfying the following:

• each finite path of $T_{marked}$ is labeled by a marked word;

• for all $i_1,\ldots,i_k \in [n]^+$ and $w \in A^+$, if there is a finite path of $T_{marked}$ labeled by a marked $(i_1,\ldots,i_k,w)$-word, then for each marked $(i_1,\ldots,i_k,w)$-word $v$, there is a path of $T_{marked}$ labeled by $v$.

• each infinite path of Tmarked is labeled by a word in {b} • [n] a U {b} • [n\* ■ [n] x {t}} • [n] w U {b} • [n]* ■ 

Mx-W-M*- Hi}-^ ffl S 

Note that $i_1,\ldots,i_k$ is a solution of $\mathcal{I}$ iff there is a word $w \in A^+$ which can be factored into $u^1_{i_1} \cdot u^1_{i_2} \cdot \ldots \cdot u^1_{i_k}$ and similarly into $u^2_{i_1} \cdot u^2_{i_2} \cdot \ldots \cdot u^2_{i_k}$. In order to express this condition, we define suitable extensions of the marked trees. First, we need additional definitions.

For each $t = 1,2$, a $t$-witness for $w$ is a finite minimal $AP$-labeled tree $T^t_w$ satisfying the following: $T^t_w$ consists of a main path labeled by a word of the form $\bot_t \cdot w_1 \cdot \top_t \cdot \ldots \cdot \top_t \cdot w_l \cdot \top_t$ such that:

• $w_1,\ldots,w_l \in A^{MAX}$ and $w_1 \cdot \ldots \cdot w_l = w$;

• each $\top_t$-node has an additional child $x$, which does not belong to the main path, such that the subtree rooted at $x$ is a finite chain (called secondary chain), whose nodes are labeled by $\Diamond$.

Let $x_i$ be the $i$-th $\top_t$-node along the main path, where $1 \leq i \leq l$: we denote by length($x_i$) the length of the associated secondary chain, by word($x_i$) the word $w_i$, and by suffix($x_i$) the (possibly empty) word $w_{i+1} \cdot \ldots \cdot w_l$. An extension of a $t$-witness $T^t_w$ for $w$ is a finite minimal $AP$-labeled tree $ET^t_w$ obtained from $T^t_w$ by extending each secondary chain of $T^t_w$ with an additional (leaf) node labeled by a symbol in $\{prev, succ, no_{match}, match\}$. We say that $T^t_w$ is the support of $ET^t_w$. For $p \in \{prev, succ, no_{match}, match\}$, we say that a $\top_t$-node $x$ of $ET^t_w$ is of type $p$ if the secondary chain associated with $x$ leads to a $p$-node. Given a good marked $(i_1,\ldots,i_k,w)$-word $v = \flat \cdot i_1 \cdot \ldots \cdot i_{j-1} \cdot (i_j,\natural) \cdot \ldots \cdot i_k \cdot end_1 \cdot w^R \cdot end_2$, we say that $ET^t_w$ is compatible with $v$ iff for each $\top_t$-node $x$ along the main path of $ET^t_w$, the following holds:

• length($x$) $\in \{|\text{suffix}(x)| + 1, \ldots, |\text{suffix}(x)| + k\}$. Moreover, if length($x$) $> |\text{suffix}(x)| + k - j + 1$ (resp., length($x$) $< |\text{suffix}(x)| + k - j + 1$), then $x$ is of type 'prev' (resp., 'succ');

• if length($x$) $= |\text{suffix}(x)| + k - j + 1$ and word($x$) $= u^t_{i_j}$ (resp., word($x$) $\neq u^t_{i_j}$), then $x$ is of type 'match' (resp., '$no_{match}$').

A marked tree with witnesses $WT_{marked}$ is a minimal $AP$-labeled tree such that there is a marked tree $T_{marked}$ so that $WT_{marked}$ is obtained from $T_{marked}$ as follows:

• for each leaf $x$ of $T_{marked}$ (note that $x$ is an $end_2$-node), let $v$ be the marked word labeling the partial path from the root to $x$. Then, if $v$ is good, we add two children $x_1$ and $x_2$ to $x$ such that for each $t = 1,2$, the subtree rooted at $x_t$ is an extension of a $t$-witness compatible with $v$;

• well-formedness requirement: let $w \in A^+$ and $i_1,\ldots,i_k \in [n]^+$ and $x$ and $y$ be two $end_2$-nodes of $WT_{marked}$ such that the associated marked words are good $(i_1,\ldots,i_k,w)$-marked words. Then, we require that for each $t = 1,2$, the two subtrees rooted at the $\bot_t$-child of $x$ and $y$, respectively, (which are extensions of $t$-witnesses) have the same support.

Proposition 1. $\mathcal{I}$ admits a solution iff there is a marked tree with witnesses $WT_{marked}$ having some $end_2$-node and such that for each $\bot_t$-node $x$ ($t = 1,2$), the subtree $ET^{*}$ rooted at $x$ satisfies the following:

• $ET^{*}$ has no '$no_{match}$'-nodes and there is exactly one node of $ET^{*}$ which is labeled by 'match';

• no $\top_t$-node of type 'match' or 'succ' is strictly followed by a $\top_t$-node of type 'match' or 'prev'.
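The compatibility conditions and Proposition 1 can be exercised on a small instance. The following Python sketch is an added example, not code from the paper: it computes the type of each ⊤_t-node from length(x), |suffix(x)|, k and j, checks the two conditions of Proposition 1 for every marked position j over one shared support (as the well-formedness requirement demands), and searches all supports by brute force. The function names and the two-pair PCP instance are constructed for illustration.

```python
from itertools import product

# Constructed two-pair PCP instance (not from the paper): U1[i] = u^1_i, U2[i] = u^2_i.
U1 = {1: "ab", 2: "b"}
U2 = {1: "a", 2: "bb"}
MAX = 2  # maximum size of the words in the instance


def types_for_mark(indices, j, factors, lengths, u_t):
    """Types of the top_t-nodes of an extension compatible with the good marked
    word whose j-th integer (1-based) is marked.
    factors[p] is word(x) and lengths[p] is length(x) for the (p+1)-th node."""
    k = len(indices)
    types = []
    for pos, (word, length) in enumerate(zip(factors, lengths)):
        suffix_len = sum(len(f) for f in factors[pos + 1:])
        if not suffix_len + 1 <= length <= suffix_len + k:
            raise ValueError("length(x) outside {|suffix(x)|+1, ..., |suffix(x)|+k}")
        pivot = suffix_len + k - j + 1  # chain length that stops at the marked integer
        if length > pivot:
            types.append("prev")
        elif length < pivot:
            types.append("succ")
        elif word == u_t[indices[j - 1]]:
            types.append("match")
        else:
            types.append("no_match")
    return types


def satisfies_prop1(types):
    """Both conditions of Proposition 1 on the type sequence along the main path."""
    if "no_match" in types or types.count("match") != 1:
        return False
    seen_match_or_succ = False
    for ty in types:
        if seen_match_or_succ and ty in ("match", "prev"):
            return False
        if ty in ("match", "succ"):
            seen_match_or_succ = True
    return True


def factorizations(w, max_len):
    """All ways to write w as w_1 ... w_l with every w_i non-empty and |w_i| <= max_len."""
    if not w:
        yield []
        return
    for cut in range(1, min(max_len, len(w)) + 1):
        for rest in factorizations(w[cut:], max_len):
            yield [w[:cut]] + rest


def has_accepting_witness(w, indices, u_t, max_len):
    """True iff some support (factorization plus chain lengths) passes Proposition 1
    for every marked position j; the same support is used for all j."""
    k = len(indices)
    for factors in factorizations(w, max_len):
        suffix = [sum(len(f) for f in factors[p + 1:]) for p in range(len(factors))]
        for lengths in product(*[range(s + 1, s + k + 1) for s in suffix]):
            if all(satisfies_prop1(types_for_mark(indices, j, factors, lengths, u_t))
                   for j in range(1, k + 1)):
                return True
    return False


def encodes_solution(w, indices):
    """w and indices pass the check for both t = 1 and t = 2."""
    return (has_accepting_witness(w, indices, U1, MAX)
            and has_accepting_witness(w, indices, U2, MAX))


if __name__ == "__main__":
    print(encodes_solution("abb", [1, 2]), encodes_solution("bab", [2, 1]))
```

The search is exponential in |w| and k and is only meant for instances of this size; the conditions force exactly k factors, the i-th being the word paired with the i-th index.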

7 this last condition is irrelevant in the encoding of the set of solutions of $\mathcal{I}$. It just reflects, as we will see, the behavior of the OPD of Theorem 4.
By Proposition 1 we easily deduce the following.

Proposition 2. One can construct a CTL(EF, EX, AG, AX) formula $\psi$ such that $\mathcal{I}$ admits a solution if and only if there is a marked tree with witnesses $WT_{marked}$ which satisfies $\psi$.

Since CTL(EF, EX, AG, AX) is closed under negation, Theorem 4 directly follows from Proposition 2 and the following lemma.

Lemma 4. One can construct a stable OPD $\mathcal{S}$ with visible stack content depth and having only environment configurations, and a CTL(EF, EX, AG, AX) formula $\phi$ such that the set of strategy trees of $\mathcal{S}$ which satisfy $\phi$ corresponds to the set of marked trees with witnesses.

Proof. We informally describe the construction of the stable OPD $\mathcal{S} = (AP,Q,q_0,\Gamma,\flat,\Delta,\mu,Env)$. Each state of $\mathcal{S}$ is an environment state, i.e. $Env = Q \times (\Gamma \cup \{\flat\})$, and the labeling function $\mu$ can be seen as a mapping $\mu : Q \rightarrow AP$. The sets $I_\Gamma$ and $H_\Gamma$ of visible and invisible stack content variables are given by $I_\Gamma = A \cup [n]$ and $H_\Gamma = \{\natural\}$. Then, $\Gamma$ is given by $\Gamma = \{\{y\} \mid y \in I_\Gamma\} \cup \{\{i,\natural\} \mid i \in [n]\}$. We identify $\{y\}$ with $y$ and $\{i,\natural\}$ with $(i,\natural)$. Hence, $\Gamma$ corresponds to the set $A \cup [n] \cup ([n] \times \{\natural\})$. Note that $vis(\gamma) \neq \emptyset$ for each $\gamma \in \Gamma$. Hence, the stack content depth of $\mathcal{S}$ is visible and:

• Property A: for all $\gamma, \gamma' \in \Gamma$, $vis(\gamma) = vis(\gamma')$ iff either $\gamma = \gamma'$ or $\gamma, \gamma' \in \{i,(i,\natural)\}$ for some $i \in [n]$.

Furthermore, the definition of $\mu$ and $P$ ensures the following:

• Property B: for all $q, q' \in P$, $vis(q) = vis(q')$ iff: (1) $\mu(q) = \mu(q')$, or (2) $\mu(q),\mu(q') \in \{i,(i,\natural)\}$ for some $i \in [n]$, or (3) $\mu(q),\mu(q') \in \{no_{match}, match, prev, succ\}$.$^8$

First phase: generation of marked words. Starting from the initial configuration (whose stack content and propositional label is $\flat$), the OPD $\mathcal{S}$ generates, symbol by symbol, by external nondeterminism, marked words. Whenever a symbol in $A \cup [n] \cup ([n] \times \{\natural\})$ is generated, at the same time it is pushed onto the stack. Symbols in $\{end_1, end_2\}$ are generated by internal transitions that do not modify the stack content. The OPD $\mathcal{S}$ keeps track by its finite control whether there is a marked integer in the prefix of the guessed marked word generated so far. In such a way, $\mathcal{S}$ can ensure that during the generation of a marked word, at most one integer occurrence in $[n]$ is marked. Let $\mathcal{T}$ be the set of $AP$-labeled trees $T$ such that there is a strategy tree $ST$ of $\mathcal{S}$ so that $T$ is obtained from $ST$ by pruning the subtrees rooted at the children of $end_2$-nodes. Then, Properties A and B above ensure that $\mathcal{T}$ is the set of marked trees.

Second phase: generation of extensions of $t$-witnesses, where $t = 1,2$. Assume that $\mathcal{S}$ is in an $end_2$-state $s$ associated with some node $x_s$ of the computation tree of $\mathcal{S}$ from the initial state. By construction, the partial path from the root to $x_s$ is labeled by some marked word $v$. If $v$ is not good, then $s$ has no successors. Now, assume that $v$ is good, hence, $v$ is of the form $\flat \cdot i_1 \cdot \ldots \cdot (i_j,\natural) \cdot \ldots \cdot i_k \cdot end_1 \cdot w^R \cdot end_2$, where $w \in A^+$ and $i_1,\ldots,i_k \in [n]^+$. By construction, the stack content in $s$ is given by $w \cdot i_k \cdot \ldots \cdot (i_j,\natural) \cdot \ldots \cdot i_1 \cdot \flat$. Then, from state $s$, $\mathcal{S}$ splits in two copies: the first one moves to a configuration $s_1$ labeled by $\bot_1$ and the second one moves to a configuration $s_2$ labeled by $\bot_2$ (in both cases the stack content is not modified). Fix $t = 1,2$. From state $s_t$, $\mathcal{S}$ generates by external nondeterminism extensions of $t$-witnesses compatible with the marked word $v$ as follows. Finite words of the form $w_1 \cdot \top_t \cdot \ldots \cdot \top_t \cdot w_l \cdot \top_t$, where $w_1,\ldots,w_l \in A^{MAX}$ and $w_1 \cdot \ldots \cdot w_l = w$, labeling main paths of $t$-witnesses, are generated as follows. The symbol $\top_t$ is generated by internal transitions which do not modify the stack content. Whenever the symbol $\bot_t$ (resp., $\top_t$) is generated, $\mathcal{S}$ pops (resp., can pop) the stack symbol by symbol and generates the current popped symbol (with the restriction that a symbol can be popped iff it is in $A$). At the same time, $\mathcal{S}$ keeps track by its finite control of the string $w_s \in A^{MAX}$ popped so far. When $|w_s| = MAX$, then $\mathcal{S}$ deterministically moves to a $\top_t$-configuration (without changing the stack content). If instead $|w_s| < MAX$, then $\mathcal{S}$ either continues to pop the stack content (if the top of the stack content is in $A$) or moves to a $\top_t$-configuration (without changing the stack content). Additionally, from a $\top_t$-configuration, $\mathcal{S}$ can also choose to move to a $\Diamond$-configuration $s_\Diamond$ without changing the stack content. In $s_\Diamond$, $\mathcal{S}$ keeps track in the control state of the word $w_s \in A^{MAX}$ (popped from the stack) and associated with the previous $\top_t$-configuration. Starting from $s_\Diamond$, $\mathcal{S}$ deterministically pops the stack symbol by symbol remaining in $s_\Diamond$. When every symbol in $A$ has been popped (hence, the stack content is $i_k \cdot \ldots \cdot (i_j,\natural) \cdot \ldots \cdot i_1 \cdot \flat$), $\mathcal{S}$ can choose to continue to pop the stack symbol by symbol by moving at each step to $\Diamond$-configurations and by keeping track in its finite control of the string $w_s$ and whether a marked integer in $[n]$ has been already popped. Additionally, whenever a symbol in $[n] \cup [n] \times \{\natural\}$ is popped, $\mathcal{S}$ can choose to move without changing the stack content to a terminal $p$-configuration, where $p \in \{prev, succ, match, no_{match}\}$, such that the following holds: $p = succ$ (resp., $p = prev$) if an integer in $[n]$ is popped and no (resp., some) marked integer has been previously popped, and $p = match$ (resp., $p = no_{match}$) if a marked integer $(h,\natural)$ (note that $h = i_j$) is popped and $w_s = u^t_h$ (resp., $w_s \neq u^t_h$).

8 In fact, in order to ensure that $\mathcal{S}$ is stable, Property B is slightly more complicated.

9 i.e., the transitions in this phase lead to configurations labeled by propositions in $\{end_1, end_2\} \cup A \cup [n] \cup ([n] \times \{\natural\})$

We use the following CTL(EF, EX, AG, AX) formula $\phi$ in order to select strategy trees of $\mathcal{S}$ such that: (1) each $end_2$-node has two children (i.e., a child labeled by $\bot_1$ and a child labeled by $\bot_2$), and (2) for each $t = 1,2$, the subtree rooted at any $\bot_t$-node is an extension of a $t$-witness. In order to fulfill the second requirement, first, we need to ensure that from each $\bot_t$-node ($t = 1,2$), there is a unique main path. Note that this last condition is equivalent to requiring that each $a$-node with $a \in A$ in a $\bot_t$-node rooted subtree has exactly one child (this can be easily expressed in CTL(EF, EX, AG, AX), since the strategy trees of $\mathcal{S}$ are minimal $AP$-labeled trees). Second, we need to ensure that each $\top_t$-node has a $\Diamond$-child $x$ such that the subtree rooted at $x$ is a finite chain. Hence, formula $\phi$ is given by

$$AG\Big(end_2 \rightarrow \bigwedge_{t=1,2} EX\big(\bot_t \wedge AG\big[(\textstyle\bigvee_{a \in A} a \rightarrow \psi_{unique}) \wedge (\top_t \rightarrow EX\,\Diamond) \wedge (\Diamond \rightarrow (\psi_{unique} \wedge EF\,AX\,\neg true))\big]\big)\Big)$$

where $\psi_{unique} = \bigvee_{p \in AP} AX\,p$. By Properties A and B above it easily follows that the strategy trees of $\mathcal{S}$ satisfying the CTL(EF, EX, AG, AX) formula $\phi$ also satisfy the well-formedness requirement. Hence, the set of strategy trees of $\mathcal{S}$ satisfying $\phi$ is the set of marked trees with witnesses. □

4.2 Decidability results 

The main result of this subsection is as follows. 

Theorem 5. PMC with imperfect information against ECTL restricted to stable OPDs with visible stack content depth and having only environment configurations is decidable and in 2EXPTIME.

Theorem 5 is proved by a reduction to non-emptiness of Büchi alternating visible pushdown automata (AVPA) (21, which is 2EXPTIME-complete 0. First, we briefly recall the framework of AVPA. Then, we establish some additional decidability results. Finally, we prove Theorem 5.

Büchi AVPA: A pushdown alphabet $\Sigma$ is a finite alphabet which is partitioned in three disjoint finite alphabets $\Sigma^{call}$, $\Sigma^{ret}$, and $\Sigma^{int}$, where $\Sigma^{call}$ is a set of calls, $\Sigma^{ret}$ is a set of returns, and $\Sigma^{int}$ is a set of internal actions. An AVPA is a standard alternating pushdown automaton on words over a pushdown alphabet $\Sigma$, which pushes onto (resp., pops) the stack only when it reads a call (resp., a return), and does not use the stack on internal actions. For a formal definition of the syntax and semantics of AVPA see HJ. Given a Büchi AVPA $\mathcal{A}$ over $\Sigma$, we denote by $\mathcal{L}(\mathcal{A})$ the set of nonempty finite or infinite words over $\Sigma$ accepted by $\mathcal{A}$ (we assume that $\mathcal{A}$ is equipped with both a Büchi acceptance condition for infinite words and a standard acceptance condition for finite words).
Preliminary decidability results: For a module $\mathcal{M}$, a minimal strategy tree $ST_{min}$ of $\mathcal{M}$ is a strategy tree satisfying the following: for each strategy tree $ST$ of $\mathcal{M}$, if $ST$ is contained in $ST_{min}$, then $ST = ST_{min}$. Given a CTL formula $\varphi$, we say that $\mathcal{M}$ minimally reactively satisfies $\varphi$, denoted $\mathcal{M} \models_{r,min} \varphi$, if all the minimal strategy trees of $\mathcal{M}$ satisfy $\varphi$. Let $\mathcal{M}$ be a stable module having only environment states and $ST$ be a minimal strategy tree of $\mathcal{M}$. For each $i \geq 0$, let $\Lambda_i$ be the set of nodes $x$ of $ST$ at distance $i$ from the root, i.e., such that $|x| = i$. Since $ST$ is minimal, it easily follows that for all $i \geq 0$ and $x,x' \in \Lambda_i$, $vis(state(x)) = vis(state(x'))$. Now, let us consider a stable OPD $\mathcal{S} = (AP,Q,q_0,\Gamma,\flat,\Delta,\mu,Env)$ with
visible stack content depth and having only environment configurations. By RemarkQ] is stable. Let 
$ST$ be a minimal strategy tree of $\mathcal{S}$ and for each $i \geq 0$, let $\Lambda_i$ be defined as above (w.r.t. strategy $ST$). By the above observation, it easily follows that for each $i \geq 0$ such that $\Lambda_{i+1} \neq \emptyset$, there are $X \subseteq I$ (where $I$ is the set of visible control state variables of $\mathcal{S}$) and $X_\Gamma \subseteq I_\Gamma$ (where $I_\Gamma$ is the set of visible stack content variables of $\mathcal{S}$) such that one of the following holds:

• each node $x$ in $\Lambda_{i+1}$ is obtained from the parent node by an internal transition (depending on $x$) of the form $q \rightarrow q'$ such that $vis(q') = X$;

• each node $x$ in $\Lambda_{i+1}$ is obtained from the parent node by a push transition (depending on $x$) of the form $q \xrightarrow{push(\gamma)} q'$ such that $vis(q') = X$ and $vis(\gamma) = X_\Gamma$;

• each node $x$ in $\Lambda_{i+1}$ is obtained from the parent node by a pop transition (depending on $x$) of the form $q \xrightarrow{pop} q'$ such that $vis(q') = X$.

Let $\Sigma_{\mathcal{S}}$ be the pushdown alphabet defined as follows: $\Sigma^{call}_{\mathcal{S}} = \{(push,X,X_\Gamma) \mid X = vis(q)$ and $X_\Gamma = vis(\gamma)$ for some $q \in Q$ and $\gamma \in \Gamma\}$, $\Sigma^{int}_{\mathcal{S}} = \{(int,X) \mid X = vis(q)$ for some $q \in Q\}$, and $\Sigma^{ret}_{\mathcal{S}} = \{(pop,X) \mid X = vis(q)$ for some $q \in Q\}$. Thus, we can associate to each finite (resp., infinite) minimal strategy tree $ST$ of $\mathcal{S}$ a finite (resp., infinite) word over $\Sigma_{\mathcal{S}}$, denoted by $w(ST)$. Moreover, for each word $w$ over $\Sigma_{\mathcal{S}}$, there is at most one minimal strategy tree $ST$ of $\mathcal{S}$ such that $w(ST) = w$. This observation leads to the following theorem, where $\widehat{\Sigma}_{\mathcal{S}}$ is the pushdown alphabet $\Sigma_{\mathcal{S}} \cup \{push, pop\}$, with $push$ being a call, and $pop$ a return.

Theorem 6. Given a stable OPD $\mathcal{S}$ with visible stack content depth and having only environment configurations and a CTL formula $\varphi$, one can construct in linear-time a Büchi AVPA $\mathcal{A}$ over $\widehat{\Sigma}_{\mathcal{S}}$ such that there is a minimal strategy tree of $\mathcal{S}$ satisfying $\varphi$ iff $\mathcal{L}(\mathcal{A}) \neq \emptyset$.

Proof. The proposed construction is a generalization of the standard alternating automata-theoretic approach to CTL model checking [15]. Here, we informally describe the main aspects of the construction. Let $\mathcal{S} = (AP,P,p_0,\Gamma,\flat,\Delta,\mu,Env)$. W.l.o.g. we assume that the initial configuration of $\mathcal{S}$ is non-terminal. For a word $w$ over $\Sigma_{\mathcal{S}}$, we denote by $ext(w)$ the word over $\widehat{\Sigma}_{\mathcal{S}}$ obtained from $w$ by replacing each occurrence of a return symbol $(pop,X)$ in $w$ with the word $(pop,X), pop, push$. We construct a Büchi AVPA $\mathcal{A}$ over $\widehat{\Sigma}_{\mathcal{S}}$ such that for each non-empty word $\widehat{w}$ over $\widehat{\Sigma}_{\mathcal{S}}$, $\mathcal{A}$ has an accepting run over $\widehat{w}$ if and only if $\widehat{w} = ext(w)$ for some word $w$ over $\Sigma_{\mathcal{S}}$ and there is a minimal strategy tree $ST$ of $\mathcal{S}$ such that $w = w(ST)$ and $ST$ satisfies $\varphi$. Essentially, for each word $w$ over $\Sigma_{\mathcal{S}}$ associated with some minimal strategy tree $ST$ of $\mathcal{S}$, an accepting run $r$ of $\mathcal{A}$ over $ext(w)$ encodes $ST$ as follows: the nodes of $r$ associated with the $i$-th symbol of $w$ correspond to the nodes of $ST$ at distance $i$ from the root. However, for each node $x$ of $ST$, there can be many copies of $x$ in the run $r$. Each of such copies has the same stack content as $x$, but its control state is equipped with additional information including one of the subformulas of $\varphi$ which holds at node $x$ of $ST$.

The AVPA $\mathcal{A}$ has the same stack alphabet as $\mathcal{S}$. Its set of control states is instead given by the set of tuples of the form $(p,\gamma,\psi,f)$, where $(p,\gamma) \in P \times (\Gamma \cup \{\flat\})$, $\psi$ is a subformula of $\varphi$, and $f$ is an additional state variable in $\{sim, pop, push\}$. Intuitively, $p$ represents the current control state of $\mathcal{S}$ and $\gamma$ represents the guessed top symbol of the current stack content. Furthermore, $f$ is used to check that the input word is an extension of some word over $\Sigma_{\mathcal{S}}$. The additional symbols $pop$ and $push$ in $\widehat{\Sigma}_{\mathcal{S}}$ are instead used to check that the guess $\gamma$ is correct. The behavior of $\mathcal{A}$ is as follows. Assume that a copy of $\mathcal{A}$ is in a control state of the form $(p',\gamma',\psi',sim)$ and the current input symbol is $\sigma$, where $p'$ is the current control state of $\mathcal{S}$ and $\gamma'$ is the top symbol of the current stack content (initially, $\mathcal{A}$ is in the control state $(p_0,\flat,\varphi,sim)$). If $\sigma \in \{pop, push\}$, then the input is rejected. If instead $\sigma$ is a call (resp., an internal action) in $\Sigma_{\mathcal{S}}$, then the considered copy of $\mathcal{A}$ simulates push (resp., internal) transitions of $\mathcal{S}$ from the current configuration (of the form $(p',\alpha)$ such that $top(\alpha) = \gamma'$) consistent with $\sigma$, if such transitions exist, by splitting in one or more copies (depending on the number of simulated transitions and the structure of $\psi'$), each of them moving to a control state of the form $(p,\gamma,\psi,sim)$. Note that in this case, $\mathcal{A}$ can ensure that the guess $\gamma$ is correct. Now, assume that $\sigma$ is a return in $\Sigma_{\mathcal{S}}$. Then, the considered copy of $\mathcal{A}$ guesses a stack symbol $\gamma \in \Gamma \cup \{\flat\}$ and simulates pop transitions of $\mathcal{S}$ from the current configuration consistent with $\sigma$ (if such transitions exist) by splitting in one or more copies (depending on the number of simulated transitions and the structure of $\psi'$), each of them moving to a control state of the form $(p,\gamma,\psi,pop)$. In the next step, the input symbol must be $pop$ (otherwise, the input is rejected). Thus, the current copy in control state $(p,\gamma,\psi,pop)$ pops the stack and checks whether the guess $\gamma$ is correct. If the guess is correct, then the copy moves to the control state $(p,\gamma,\psi,push)$ (otherwise, the run is rejecting). In the next step, the input symbol must be $push$ (otherwise, the input is rejected). Thus, the considered copy re-pushes $\gamma$ onto the stack and moves to control state $(p,\gamma,\psi,sim)$. Assuming that the input word is $ext(w)$ for some nonempty word $w$ over $\Sigma_{\mathcal{S}}$, the above behavior ensures, in particular, that whenever an input symbol in $\Sigma_{\mathcal{S}}$ is read, $\mathcal{A}$ is in a control state of the form $(p,\gamma,\psi,sim)$, where $\gamma$ is the top symbol of the current stack content. Finally, $\mathcal{A}$ checks whether $w$ is associated with some minimal strategy tree of $\mathcal{S}$ as follows. First, we observe that a nonempty word $w$ over $\Sigma_{\mathcal{S}}$ is not associable to any minimal strategy tree of $\mathcal{S}$ iff the following holds. There is a proper prefix $w'$ of $w$ of length $i$ for some $i \geq 0$ such that $w'$ is the prefix of $w(ST)$ for some minimal strategy tree $ST$ of $\mathcal{S}$ such that: there is a node $x$ of $ST$ at distance $i+1$ from the root whose configuration $(p,\alpha)$ has some successor, but there is no transition from $(p,\alpha)$ which is consistent with the $(i+1)$-th symbol of $w$. Thus, whenever a copy of $\mathcal{A}$ reads a symbol $\sigma \in \Sigma_{\mathcal{S}}$, hence the considered copy is in a control state of the form $(p,\gamma,\psi,sim)$ (where $p$ is the current control state of $\mathcal{S}$ and $\gamma$ is the top symbol of the current stack content), $\mathcal{A}$ rejects the input string if: the current configuration of $\mathcal{S}$ has some successor (i.e., $(p,\gamma)$ is non-terminal), but there is no transition from the current configuration which is consistent with the current input symbol $\sigma$. □

Since non-emptiness of AVPA is 2EXPTIME-complete 0, by Theorem 6 we obtain the following.

Corollary 1. Checking whether $\mathcal{M}_{\mathcal{S}} \models_{r,min} \varphi$, for a given CTL formula $\varphi$ and a given stable OPD $\mathcal{S}$ with visible stack content depth and having only environment configurations, is in 2EXPTIME.

Proof of Theorem 5: let $\varphi$ be an ECTL formula over $AP$. Note that for all $2^{AP}$-labeled trees $T$ and $T'$, if $T$ is contained in $T'$ and $T$ satisfies $\varphi$, then $T'$ satisfies $\varphi$ as well. Note that for a given module $\mathcal{M}$, each strategy tree of $\mathcal{M}$ contains some minimal strategy tree. Hence, for an ECTL formula $\varphi$, $\mathcal{M} \models_r \varphi$ if and only if $\mathcal{M} \models_{r,min} \varphi$. Thus, Theorem 5 directly follows from Corollary 1. Finally, for completeness, we observe that unrestricted PMC with imperfect information against ACTL is trivially decidable. Indeed, for an ACTL formula $\varphi$ and module $\mathcal{M}$, $\mathcal{M} \models_r \varphi$ iff the maximal strategy tree of $\mathcal{M}$ (i.e., the computation tree of $\mathcal{M}$ starting from the initial state) satisfies $\varphi$. Hence, PMC with imperfect information against ACTL is equivalent to standard pushdown model checking against ACTL, which is in EXPTIME |fT9l .

Proposition 3. PMC with imperfect information against ACTL is in EXPTIME. 
5 Conclusion

There is an intriguing question left open. We have shown that PMC with imperfect information for stable OPDs with visible stack content depth and having only environment configurations is undecidable for the fragment CTL(EF, EX, AG, AX) of CTL, and decidable for the fragments ECTL and ACTL of CTL. Thus, the decidability status of the problem above for the standard EF-fragment of CTL (using just the temporal modality EF and its dual AG) is open. We conjecture that the problem is decidable.